If you take the trouble to read PayPal’s FAQ it is much more accurate: it says that their 2FA makes "your account more resistant to intrusion", which is entirely true. But the coverage did make me reflect on some of the discussions at the 2FA session I chaired at RSA Europe. No-one wants consumers to get into a situation where they have to carry a string of security fobs around. Nor is it necessarily optimal for one fob (e.g., PayPal’s) to become the de facto standard for access to everything from World of Warcraft to Fifth Third Bank (who seem to be the target of 97% of the bank phishes in my inbox). I would much prefer the "white token" solution, as we used to discuss in the early days of multi-application smart cards, where the customer takes responsibility for stronger authentication and goes and buys (let’s say) an OATH-compliant USB key which they then register with their bank, their retailers, their MMORPGs, their social networks and so forth.
Incidentally, it is not idle speculation to consider how criminals might subvert 2FA to steal money from online bank accounts, because they’ve already done it to Nordea, a bank with a long history of using 2FA. Nordea say that over the last 15 months their customers have been targeted by e-mails (from, the Swedish police believe, Russian organised crime) containing a Trojan. The e-mail encouraged customers to download a "spam fighting" application which was actually Haxdoor. This installed a key logger. The Trojan activated when customers attempted to log in to the Nordea online banking site: customers were redirected to a fake bank site and then asked to complete their 2FA step. The customers were then presented with a notice telling them that the Nordea site was experiencing technical difficulties and asking them to please log in later. Meanwhile, the criminals had used the freshly captured credentials to log in to the actual bank account and had started transferring money out. Over a million dollars has been stolen from 250 customer accounts.
2FA is a first step, but in this form it is not the foundation of sustainable digital identity. We have to move to end-to-end security: PKI in smart cards, for example, where what the customer authorises is bound to the site and the transaction rather than being a code that anyone who captures it can replay. How this might happen is a business issue, of course. In government, it’s a different matter because tokens can be mandated. In the U.S. case, the Federal Government’s HSPD-12 migration (which involves PKI, smart cards and biometrics) adds $15 to $20 to the cost of a laptop. This doesn’t sound like much to me. But then I’m not a banker.
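To make the contrast between the two preceding paragraphs concrete, here is an added illustration (not code from the original post, Nordea or any token vendor). The first half implements OATH one-time codes as specified in RFC 4226 (HOTP) and RFC 6238 (TOTP) and shows the bank-side check: a correct code is accepted whoever submits it and wherever it was typed, which is exactly what the Nordea relay exploited. The second half models the "end-to-end" alternative: the token signs the bank’s challenge together with the origin the browser actually connected to and the transaction the customer confirmed, so the bank rejects anything signed on a look-alike site or for a different payee. HMAC over a shared secret stands in for the smart-card public-key signature, and every key, timestamp, origin, challenge and amount is constructed for the example.

```python
"""Why a one-time code is not enough, and what origin/transaction binding adds.
OTP functions follow RFC 4226/6238; the 'bound' scheme is a simplified model of
a signing token (HMAC stands in for a public-key signature). All keys, times,
origins, challenges and amounts below are constructed for illustration."""
import hashlib
import hmac
import struct


# ---- Plain OATH one-time codes (HOTP per RFC 4226, TOTP per RFC 6238) ----

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from the current time window."""
    return hotp(key, unix_time // step, digits)


def bank_accepts_otp(key: bytes, submitted: str, bank_time: int) -> bool:
    """Bank-side check. Nothing in the code says who collected it or where."""
    return hmac.compare_digest(totp(key, bank_time), submitted)


def relayed_otp_is_accepted() -> bool:
    """The Nordea pattern: the customer types a valid code into a page that is
    not the bank's; presented to the real bank inside the window, it passes."""
    key = b"12345678901234567890"           # constructed shared secret
    typed_into_fake_site_at = 1_000_000      # constructed timestamp
    code = totp(key, typed_into_fake_site_at)
    presented_to_real_bank_at = typed_into_fake_site_at + 10  # same 30 s window
    return bank_accepts_otp(key, code, presented_to_real_bank_at)


# ---- Origin- and transaction-bound authentication ("end-to-end") ----

def _canonical(*fields: str) -> bytes:
    """Length-prefix each field so origin/payee/amount cannot be re-split."""
    out = b""
    for f in fields:
        b = f.encode()
        out += struct.pack(">I", len(b)) + b
    return out


def token_sign(key: bytes, challenge: str, origin: str,
               payee: str, amount_cents: int) -> str:
    """What the customer's token signs: the bank's challenge, the origin the
    browser actually connected to, and the transaction the customer confirmed."""
    msg = _canonical(challenge, origin, payee, str(amount_cents))
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def bank_verify(key: bytes, challenge: str, payee: str, amount_cents: int,
                signature: str, bank_origin: str = "bank.example") -> bool:
    """The bank recomputes over ITS own origin and the transaction IT received."""
    expected = token_sign(key, challenge, bank_origin, payee, amount_cents)
    return hmac.compare_digest(expected, signature)


KEY = b"constructed-token-secret"        # constructed; one per registered token
CHALLENGE = "c0ffee0123456789"           # constructed; banks issue a fresh nonce


def genuine_transfer_verifies() -> bool:
    """Signed on the real origin for the transaction the bank received."""
    sig = token_sign(KEY, CHALLENGE, "bank.example", "ACME Utilities", 12_000)
    return bank_verify(KEY, CHALLENGE, "ACME Utilities", 12_000, sig)


def relayed_login_is_rejected() -> bool:
    """Signed on a look-alike origin: the bank checks against its own name."""
    sig = token_sign(KEY, CHALLENGE, "bank-login.example", "ACME Utilities", 12_000)
    return not bank_verify(KEY, CHALLENGE, "ACME Utilities", 12_000, sig)


def altered_transfer_is_rejected() -> bool:
    """A signature over one payee/amount cannot authorise a different one."""
    sig = token_sign(KEY, CHALLENGE, "bank.example", "ACME Utilities", 12_000)
    return not bank_verify(KEY, CHALLENGE, "Other Payee", 900_000, sig)
```

The HOTP output can be checked against the RFC 4226 test vectors (key `12345678901234567890`, counter 0 gives `755224`). The design point is in `bank_verify`: the bank never trusts an origin or amount supplied with the signature; it substitutes what it knows, so a code or signature obtained on another site, or for another transaction, simply fails to match.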
My opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.